AUDIT REPORT

Topeka, KS, Material Distribution Center – Information Technology General Controls

June 11, 2014

Report Number IT-AR-14-006


HIGHLIGHTS

June 11, 2014
Topeka, KS, Material Distribution Center – Information Technology General Controls
Report Number IT-AR-14-006

BACKGROUND:

In June 2013, the U.S. Postal Service completed consolidation of all print operations into the National Print Center in the administrative building at the Topeka, KS, Material Distribution Center. As a result of this cost-cutting measure, the National Print Center now processes about 192,000 payroll checks and 107,000 vendor checks per month (totaling about $468 million), as well as earnings and Express Mail corporate account statements.

In addition to the print operations, the Material Distribution Center’s administrative building maintains a computer server room that supports systems that manage vehicles, warehousing, inventory, and equipment.

Our objective was to determine whether general security controls pertaining to physical access, contingency planning, security management, and segregation of duties at the center’s administrative building provide reasonable assurance that computer assets, processed payroll data, and vendor data are secure.

WHAT THE OIG FOUND:

Contingency planning and segregation of duties were adequate; however, security controls related to physical access and security management were not in place to protect computer assets and data at the center’s administrative building. Specifically, management did not conduct physical key reviews or maintain a key inventory as required. Additionally, management did not use a reliable badge system for accessing the administrative building, monitor personnel access privileges, or put alarms on emergency doors that provide access to computer assets in the building’s warehouse area. In addition, management did not have procedures in place for granting and monitoring employee access to the check printing system or provide security training for employees with access to the system.

Management considered the key inventory and alarms on the emergency doors to be low priorities. Also, officials were unaware of procedures related to user access reviews and security training. Not adhering to information security controls increases the risk of unauthorized individuals accessing sensitive information, including employees’ names, addresses, and identification numbers.

WHAT THE OIG RECOMMENDED:

We recommended management complete a physical key review, rekey certain areas, and better restrict access to the administrative building. Further, we recommended management periodically review employee access to the server room and check printing system. Finally, we recommended management provide information security training to all employees with access to computer assets and data.


June 11, 2014

MEMORANDUM FOR:   JOHN T. EDGAR
                  VICE PRESIDENT, INFORMATION TECHNOLOGY

                  SUSAN M. BROWNELL
                  VICE PRESIDENT, SUPPLY MANAGEMENT

FROM:             John E. Cihota
                  Deputy Assistant Inspector General
                  for Finance and Supply Management

SUBJECT:          Audit Report – Topeka, KS, Material Distribution Center – Information Technology General Controls (Report Number IT-AR-14-006)

This report presents the results of our audit of the Topeka, KS, Material Distribution Center’s Information Technology General Controls (Project Number 14BG002IT000).

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Sean D. Balduff, acting director, Information Technology, or me at 703-248-2100.

Attachment

cc: Corporate Audit and Response Management


TABLE OF CONTENTS

Introduction
Conclusion
Physical Security
Logical Access Security
Information Security Training
Recommendations
Management’s Comments
Evaluation of Management’s Comments
Appendix A: Additional Information
   Background
   Objective, Scope, and Methodology
   Prior Audit Coverage
Appendix B: Management’s Comments


Introduction

This report presents the results of our self-initiated audit of the Topeka, KS, Material Distribution Center (MDC) – Information Technology (IT) General Controls (Project Number 14BG002IT000). Our objective was to determine whether general controls pertaining to physical access, security management, contingency planning, and segregation of duties at the MDC’s administrative building [1] provide reasonable assurance that computer assets [2] and processed payroll and vendor data are secure. See Appendix A for additional information about this audit.

The Topeka MDC provides parts, equipment, and supplies to all U.S. Postal Service facilities. In 1975, the Postal Service added the Label Printing Center (LPC) to the Topeka MDC and, in June 2013, changed the name from the LPC to the NPC to reflect the consolidation of all print operations into the new center. The NPC now carries out all print functions, such as processing payroll and vendor checks, earning statements, and Express Mail corporate account (EMCA) statements, using the Ricoh Process Director (RPD or check printing) system. [3] The 35 employees working at the NPC process about 192,000 payroll checks and 107,000 vendor checks per month, totaling about $468 million.

In addition to print operations, the MDC’s administrative building maintains a computer server room that supports the Material Distribution and Inventory Management System (MDIMS) [4] and the Solution for Enterprise Asset Management (SEAM). [5]

The U.S. Postal Inspection Service performs site reviews to address physical security controls at Postal Service facilities. The Postal Inspection Service last reviewed security controls at the Topeka MDC in March 2012.

[1] The administrative building contains the administrative offices, the National Print Center (NPC), and the center’s computer server room.
[2] Computer assets include desktop and laptop computers, printers, and servers.
[3] The RPD system automates the printing function for multiple types of documents such as employee and vendor checks, employee earning statements, and EMCA statements.
[4] MDIMS is used to perform material distribution, warehousing, and inventory management business functions for the Postal Service. MDIMS helps manage inventory for a catalog of items and provides material support for customers.
[5] SEAM provides inventory management and supply chain planning, and manages and services installed equipment and deployed vehicles.

Conclusion

Contingency planning and segregation of duties were adequate; however, security controls related to physical access and security management were not in place to protect computer assets and data at the MDC’s administrative building. Specifically, management did not conduct physical key reviews or maintain a key inventory as required. Additionally, management did not use a reliable badge system for accessing the administrative building, monitor personnel access privileges, or put alarms on emergency doors that provide access to computer assets in the building’s warehouse area.

Management officials did not take these security precautions because they considered conducting the physical key inventory and installing alarms on the emergency doors to be low priorities. Further, management officials were unaware of specific procedures related to user access reviews and security training. Not adhering to information security controls increases the risk that unauthorized individuals will access Postal Service IT assets and information, including employees’ names, addresses, and identification numbers.

Physical Security

We identified the following areas where physical access controls were not established or were not functioning as intended:

•  Management had no record of conducting a physical key review and did not maintain a current physical key inventory. Instead, management kept all of the spare building keys in a coffee can and a plastic tub. This occurred because management considered conducting the physical key inventory to be a low priority. Postal Service policy [6] requires management to conduct a semiannual review of all physical keys and maintain an accurate inventory. During our audit, we observed management initiating the process to identify and account for the center’s spare keys.

•  Management uses an obsolete and unreliable badge system to restrict physical access to the facility, including areas where computer assets are stored. Specifically:

   o  The badge system is running on a computer using an operating system the vendor no longer supports. In addition, management could not find new parts for the system when repairs were needed and purchased used replacement parts from eBay.

   o  Periodically, management relies on a spreadsheet to verify access lists because accounts were lost during a power interruption.

   Budget constraints prevented management from updating or replacing the current badge system, and managers did not document their acceptance of risk for using an outdated access system.

•  Management did not review the access control list for individuals with physical access to the computer server room, as required. The current IT manager was unaware that Postal Service policy [7] requires designated IT managers to review access control lists quarterly.

•  Management did not install alarms on three emergency exit doors that provide access to those administrative building warehouse areas containing IT assets. Figure 1 shows computers and printers near emergency exit doors that lead to a public parking lot. Management did not think this represented an immediate threat or vulnerability. Postal Service policy [8] states that it must protect its information resources [9] against damage, unauthorized access, and theft in the Postal Service environment. During our audit, management placed an order for new alarm systems and installed them on the emergency doors on January 16, 2014; therefore, we are not making a recommendation related to this issue.

Figure 1. IT Assets at Risk
[Photographs] Source: U.S. Postal Service Office of Inspector General (OIG) photographs taken December 17, 2013.

The Postal Inspection Service also identified these physical security issues during a March 2012 site review. When management officials do not adhere to physical access control policies, there is an increased risk that unauthorized individuals may obtain access to Postal Service assets.

[6] Administrative Support Manual 13, Section 273.461, Key and Access Control Device Accountability, and Section 464, Key Survey, updated November 28, 2013.
[7] Handbook AS-805, Information Security, Section 7-2.4, Establishment of Access Control Lists, dated March 2014.
[8] Handbook AS-805, Section 7-3, Physical Protection of Information Resources.
[9] Information resources are all Postal Service information assets, including information systems, hardware, software, data, applications, telecommunications networks, computer-controlled mail processing equipment, and related resources and the information they contain.

Logical Access Security

Management did not periodically review user access to the RPD system. The RPD system is not part of the eAccess System; [10] therefore, managers did not receive notification to perform the periodic access review. Postal Service policy [11] states that managers must review access granted to personnel under their supervision to ensure they still need the access to perform their duties. When there is no formal process for reviewing user access to Postal Service systems, there is an increased risk that unauthorized individuals may have access to sensitive information, such as an employee’s name, address, and identification number.

During our audit, management began reviewing user access by taking steps to add the RPD system to the eAccess system. We reviewed the RPD user list on February 12, 2014, and determined management removed 26 inactive accounts.

Information Security Training

Management did not always provide information security training to employees with access to sensitive Postal Service information resources. Specifically, none of the nine employees with “operator” [12] access to the RPD system received information security training because the MDC manager thought only managers needed this training. Postal Service policy [13] states that all personnel with access to Postal Service information resources must participate in annual information security training. Users who do not receive this training may not be aware of their responsibilities or the actions they can take to protect the Postal Service’s information.

[10] The system is used to request and approve access to Postal Service applications.
[11] Handbook AS-805, Section 9-3.2.5, Periodic Review of Access Authorization.
[12] Operator access allows a person to perform certain functions such as enabling, disabling, and changing computer job scheduling properties.
[13] Handbook AS-805, Section 6-5.3, Training Requirements – Annual Training.

Recommendations

We recommend the vice president, Supply Management, direct the manager, Operating Asset Fulfillment, to:

1. Perform a physical key review and maintain an accurate key inventory for the Topeka Material Distribution Center’s administrative building.

2. Rekey doors to those areas in the Material Distribution Center’s administrative building with keys that are unaccounted for based on the physical key review.

3. Develop an action plan to update the badge access system or other reliable compensating controls to restrict access to the Material Distribution Center’s administrative building.

4. Develop a process to ensure required user access to the Ricoh Process Director application is periodically validated and documented.

5. Provide information security training annually to all personnel with access to Postal Service information resources at the Topeka Material Distribution Center’s administrative building.

We recommend the vice president, Information Technology, direct the manager, Systems Solutions, to:

6. Perform quarterly reviews of individuals with access to the Topeka Material Distribution Center’s computer server room.

Management’s Comments

Management agreed with the findings and with recommendations 1 through 4 and 6, and partially agreed with recommendation 5.

In response to recommendation 1, management performed a complete physical key review and inventoried, documented, and secured all excess keys. Management plans to continue periodic physical key reviews.

In response to recommendation 2, management rekeyed all required doors in the administrative area of the MDC.

In response to recommendation 3, management completed a risk assessment of the badge access system with the assistance of the Postal Inspection Service. The assessment concluded the badge access system was functioning, but a reassessment will be needed if system replacement parts become unavailable. Management instituted compensating controls to restrict access to the MDC’s administrative building.

In response to recommendation 4, management added the RPD to the Postal Service’s eAccess System. Employees are required to request and receive approval to use this system, and it provides for periodic reviews to validate the need for access.

In response to recommendation 5, management stated that information security training is not available for bargaining unit employees but agreed non-bargaining employees should be trained; therefore, management will issue a communication to all non-bargaining employees at the Topeka MDC to complete annual security awareness training by July 31, 2014.

In response to recommendation 6, management reviewed the records of individuals with access to the Topeka MDC’s computer room in conjunction with the compensating controls instituted in recommendation 3. Management will continue these reviews quarterly.

See Appendix B for management’s comments, in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendations, and corrective actions should resolve the issues identified in the report. The OIG considers recommendation 3 significant. Since we concur with the actions taken, recommendation 3 can be closed in the Postal Service’s follow-up tracking system with the issuance of this report.


Appendix A: Additional Information

Background

The Topeka MDC provides parts, equipment, and supplies support to all Postal Service facilities, including facilities in Hawaii, the Caribbean Islands, and Alaska. The MDC’s mission is to warehouse and distribute repair parts and supplies in an accurate, responsive, cost-effective, and consistent manner. The warehouse facility contains about 950,000 square feet of floor space that accommodates 26,000 items.

In June 2013, the Postal Service completed the final stage of a three-phase project to reduce its printing costs. As a result, the Postal Service changed the LPC’s [14] name to the NPC to reflect the consolidation of all print operations into the new center. The NPC also maintains the RPD system used to print jobs from the mainframe. RPD automates the printing function for payroll, vendor payments, and employee earning statements.

Objective, Scope, and Methodology

Our objective was to determine whether general controls pertaining to physical access, security management, contingency planning, and segregation of duties at the Topeka MDC’s administrative building provide reasonable assurance that computer assets and processed payroll and vendor data are secure.

To meet our objective, we reviewed relevant security policies and procedures and interviewed Postal Service management and other IT staff as necessary. We obtained and reviewed documents related to the controls listed above and observed operations at the facility. In addition, we observed and evaluated physical security controls at the facility.

We conducted this performance audit from November 2013 through June 2014, in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management on May 13, 2014, and included their comments where appropriate.

We did not assess the reliability of any computer-processed data for the purposes of this report. The computer-processed data analyzed during the audit provided the context for the environment audited and did not significantly affect the findings, conclusion, or recommendations in this report.

[14] In support of mail processing automation initiatives for postal and mailer operations, the Postal Service formed the LPC in 1975. It consolidated six printing centers across the U.S.

Prior Audit Coverage

The OIG did not identify any prior audits or reviews related to the objective of this audit.


Appendix B: Management’s Comments